
June 5, 2020

Centralized stupidity

As a friend with greater experience with lockdowns might have said, when you see one coming be careful not only who you get locked down with, but where. People with strong local neighborhoods and personal relationships with independent local shops have had a vastly easier time through the last couple of months than most others.

My lifetime has seen everything progressively centralize. In the 1970s, someone living in Ithaca, New York, population about 30,000, could visit the phone company and negotiate billing with the same woman they dealt with several months previously. The guy who came to read the electric meter this month was the same guy you saw every month. And when you called the telephone operator to check on a phone number, they would confirm the address and speculate with you how to get there because they knew your town. Forty years later, if you *can* make a call to a utility company you're probably dealing with someone to whom your town is a dot they can't find on a map...

...which all brings me to this week, when a Twitter account that seemed to be from the National Health Service posted a note to the effect that we might get a message or call from "NHS" and if we did we should follow the instructions. The tweet also published the number we could expect to hear from. Because the immediate follow-up was a few people saying they would immediately block the number, I commented that the smart thing to do seemed to me to be to put the number in a phone's contacts so the call would be recognized.

But, the security folks reminded: SIM spoofing. True. Hello, phishing attacks.

Does the NHS employ no security experts?

Here are the NHS's published instructions for what to do if you're contacted. Note what's missing: a way to verify the call is genuine. Sure, they tell you they won't ask for bank details or other accounts, payment, or ask you to call premium rate numbers or set up a password or PIN over the phone. But they still miss the main point; that is, like a celebrity they still assume that because any call they make will be genuine, any call you get will be genuine. This is Ravenous Bugblatter Beast of Traal reasoning. I recommend wrapping a towel around your head.

As others have pointed out, you could quite effectively mount a denial-of-livelihood attack on someone by reporting them as an exposed contact so they are required to self-isolate for 14 days. Even 30 years ago the world contained people highly skilled at the kind of social engineering that would enable someone to pose effectively as a contact tracer. The NHS needs to do the obvious: publish a number people can call back to verify.

The press appeared to understand the possibilities, and had this exchange with the deputy chief medical officer for England, Jenny Harries:

A question about how to know if a track and trace call is genuine, one person asks. Harries says there is a lot of confidentiality and it will be unlikely you will be contacted by someone with other motives. She says it will be clear that they are genuine - they are professionally trained individuals.

I don't know how to rate the ignorant stupidity of this comment. The satirical magazine Private Eye, however, managed (see above).

This gathering of power to the center was on display elsewhere this week, as Jacob Rees-Mogg, the leader of the House of Commons, pushed to end remote participation and voting in Parliamentary debates. No one is saying that remote participation is ideal, but it *does* permit MPs to represent their constituents who shouldn't be traveling and taking health risks. Even more ridiculous is Rees-Mogg's refusal to countenance electronic voting, with replacement arrangements so absurd and time-wasting that one can only assume he fears losing control otherwise.

Contact tracing is one area where staying local makes all the difference. Anyone who lives in my little area, for example, would know to ask a senior testing positive whether they've been to the local club that (normally) provides classes (dancing, Pilates, photography), social lunches, and entertainment to hundreds of people, chiefly seniors. They know the local independent shops are community hubs as well as sources of essential items and would ask which ones the infected person uses. And they know the spot where homeless people who might struggle to find testing are often to be found selling The Big Issue. The local council, which UK epidemiologists have repeatedly said has the necessary contact tracing expertise, knows all this. Serco certainly doesn't.

We've written before about the dangers of centralizing the Net. What we've previously failed to recognize is how dangerous it can be when combined with politically convenient stupidity.

The UK government, which has been gathering power to the center ever since Margaret Thatcher disbanded the Greater London Council, is outsourcing contact tracing to Serco, which has proved so inept as to be genuinely dangerous. The result is to treat contact tracing as if it were calls to customer service at a phone company and to mistake efficiency for effectiveness. Centralization was bad for the Internet. It's even worse for real life.


Illustrations: Private Eye explains contact tracing.

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.